DNScrypt dnscrypt installer for asuswrt

@bigeyes0x0, you might want to update the post with the link to the new installer script as well, to avoid confusion, as it still refers to beta9:
I just say beta for now as we have a new version every other day. The next beta will even be more awesome as there're some features added to further reduce my code to workaround for various chicken egg problems when using this proxy.

On the other hand, I'm kinda tired with the flurry of betas.
 
Sounds good to me. Looking forward to the next beta. Current installer works like a charm, btw. Thanks!

One remark on the current (beta12) installer, not sure whether on purpose, but nevertheless it might be worth mentioning. During executing the installer you ask for an initial DNS-server, quad9 by default, which gets added to dnsmasq.conf. However, if the user specifies a different dns server, it's not being added to dnscrypt-proxy.toml as fallback:

Code:
## Fallback resolver
## This is a normal, non-encrypted DNS resolver, that will be only used
## for one-shot queries when retrieving the initial resolvers list, and
## only if the system DNS configuration doesn't work.
## No user application queries will ever be leaked through this resolver,
## and it will not be used after IP addresses of resolvers URLs have been found.
## It will never be used if lists have already been cached, and if stamps
## don't include host names without IP addresses.
## It will not be used if the configured system DNS works.
## A resolver supporting DNSSEC is recommended. This may become mandatory.
fallback_resolver = "9.9.9.9:53"

Not sure you've done that on purpose?

I also have a feature request to consider for when it's stable: Would you consider building in an option to check during install whether there's an existing config file and ask the user if it wants to keep using the existing config or start fresh? Maybe it's possible to skip several questions and copy the values from, let's say dnscrypt-proxy.toml.old, to the new config file and only ask user input on new variables/functionality (if any). An option to reconfigure afterwards could be used to start completely fresh with the default. It's not mandatory by far, would be nice-to-have and might be more convenient to a broader public.

@Protik, the functionality you are looking for is already included in dnscrypt-proxy v2 since a few betas ago. Just edit /jffs/dnscrypt-proxy/dnscrypt-proxy.toml and remove the hash before the line file = 'query.log' as shown below and a file will be created in the same directory where the executable is. You can also specify a full path if you want to store it elsewhere, for example to have the file deleted on reboot. If you wish to keep logging dns queries, I suggest you do this on usb instead of jffs, by specifying an absolute path to /tmp/mnt/<your_usb>/<folder_name>/query.log. A restart of dnscrypt-proxy or rebooting your router is required for these changed settings to take effect.

Code:
###############################
#        Query logging        #
###############################
## Log client queries to a file
[query_log]
## Path to the query log file (absolute, or relative to the same directory as the executable file)
file = 'query.log'

My assumption was as it is mentioned in the toml file, it would work out of the box. But apparently not.

Just tested it, it does. Tested it before, it worked then, but maybe it got broken in between betas. In beta 12 it works as supposed to, I'm looking at it now (see attached file).
 

Attachments

  • query.log.txt
    19.8 KB · Views: 545
@bigeyes0x0 Many thanks for the latest beta release. The dnscrypt process has crashed several times since updating this morning with the error (loglevel 0):

Code:
Jan 31 07:38:47 dnscrypt-proxy[7790]: Stopped.

I noticed the daemonize option was removed in beta12. Also, there appears to be a time difference of -4 hours between dnscrypt's logs and the router's logs:

Code:
Jan 31 11:39:12 xxxxxxx: Start dnscrypt-proxy
Jan 31 07:39:13 dnscrypt-proxy[8007]: Source [https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md] loaded
Jan 31 07:39:13 dnscrypt-proxy[8007]: Starting dnscrypt-proxy 2.0.0beta12
Jan 31 07:39:13 dnscrypt-proxy[8007]: Now listening to 127.0.0.1:65053 [UDP]
Jan 31 07:39:13 dnscrypt-proxy[8007]: Now listening to 127.0.0.1:65053 [TCP]
Jan 31 07:39:13 dnscrypt-proxy[8007]: Refreshing certificates
Jan 31 07:39:13 dnscrypt-proxy[8007]: [d0wn-gr-ns1] OK (crypto v1) - rtt: 195ms
Jan 31 07:39:14 dnscrypt-proxy[8007]: [d0wn-is-ns1] OK (crypto v1) - rtt: 146ms
Jan 31 07:39:14 dnscrypt-proxy[8007]: [scaleway-fr] OK (crypto v2) - rtt: 112ms

Edit: Noticed the router's syslog display level was set at 'info'. I've set that to debug for all and will report back. Cheers!
 
Also, there appears to be a time difference of 4 hours between dnscrypt's logs and the router's logs:

That's odd, I have no differences here:

Code:
Jan 31 08:03:56 RT-AC68U marco:  Started pixelserv-tls (AB-Solution) from .
Jan 31 08:03:56 RT-AC68U custom_script:  Running /jffs/scripts/dnsmasq.postconf (args: /etc/dnsmasq.conf)
Jan 31 08:03:56 RT-AC68U marco:  AB-Solution added entries via /jffs/scripts/post-mount
Jan 31 08:03:56 RT-AC68U rc_service:  hotplug 666:notify_rc restart_nasapps
Jan 31 08:03:56 RT-AC68U rc_service:  waitting "restart_dnsmasq" via  ...
Jan 31 08:03:57 RT-AC68U Skynet:  [INFO] Lock File Detected (start debug banmalware autoupdate usb=/tmp/mnt/ENTWARE) (pid=660) - Exiting
Jan 31 08:03:57 RT-AC68U marco:  AB-Solution added entries via ab_dnsmasq_postconf.sh
Jan 31 08:03:57 RT-AC68U marco:  AB-Solution linked ab_dnsmasq_postconf.sh via /jffs/scripts/dnsmasq.postconf
Jan 31 08:03:58 RT-AC68U Skynet:  [INFO] Startup Initiated... ( debug banmalware autoupdate usb=/tmp/mnt/ENTWARE )
Jan 31 08:03:59 RT-AC68U iTunes:  daemon is stopped
Jan 31 08:03:59 RT-AC68U FTP_Server:  daemon is stopped
Jan 31 08:04:00 RT-AC68U Samba_Server:  smb daemon is stopped
Jan 31 08:04:00 RT-AC68U kernel:  gro disabled
Jan 31 08:04:01 RT-AC68U Timemachine:  daemon is stopped
Jan 31 08:04:01 RT-AC68U kernel:  gro enabled with interval 2
Jan 31 08:04:02 RT-AC68U Samba_Server:  daemon is started
Jan 31 08:04:03 RT-AC68U FTP_server:  daemon is started
Jan 31 08:04:05 RT-AC68U kernel:  ip_set: protocol 6
Jan 31 08:05:00 RT-AC68U crond:  USER marco pid 2145 cmd service restart_letsencrypt
Jan 31 08:05:00 RT-AC68U rc_service:  service 2146:notify_rc restart_letsencrypt
Jan 31 08:14:57 RT-AC68U kernel:  warning: `vsftpd' uses 32-bit capabilities (legacy support in use)
Jan 31 08:33:19 RT-AC68U dnscrypt-proxy:  [cisco] OK (crypto v1) - rtt: 11ms
Jan 31 08:33:19 RT-AC68U dnscrypt-proxy:  [cisco] OK (crypto v1) - rtt: 15ms

I'm in CET, most likely the same timezone as Frank Denis, the author of dnscrypt-proxy v2, so it might be he has CET or GMT+1 hardcoded somewhere in the source code.
 
One remark on the current (beta12) installer, not sure whether on purpose, but nevertheless it might be worth mentioning. During executing the installer you ask for an initial DNS-server, quad9 by default, which gets added to dnsmasq.conf. However, if the user specifies a different dns server, it's not being added to dnscrypt-proxy.toml as fallback:

Not sure you've done that on purpose?

I also have a feature request to consider for when it's stable: Would you consider building in an option to check during install whether there's an existing config file and ask the user if it wants to keep using the existing config or start fresh? Maybe it's possible to skip several questions and copy the values from, let's say dnscrypt-proxy.toml.old, to the new config file and only ask user input on new variables/functionality (if any). An option to reconfigure afterwards could be used to start completely fresh with the default. It's not mandatory by far, would be nice-to-have and might be more convenient to a broader public.
Intended, because I'm waiting for ignore_system_dns to make that feature complete to remove some of my workarounds.

Regarding the feature you mentioned, it's a lot of coding but I already did plan on doing it sometime in the future, one of the reasons I split the config operation out.

@bigeyes0x0 Many thanks for the latest beta release. The dnscrypt process has crashed several times since updating this morning with the error (loglevel 0):

Code:
Jan 31 07:38:47 dnscrypt-proxy[7790]: Stopped.

I noticed the daemonize option was removed in beta12. Also, there appears to be a time difference of 4 hours between dnscrypt's logs and the router's logs

Time difference is known issue, nothing I can do on my side, I have asked Frank and unfortunately he couldn't reproduce it on his full blown Linux system, so we just have to wait.

As for your daemon issue, Frank removed the feature with the same reason I told you. As far as everyone does nowadays, they do not use this feature anymore, and it's practically the same as running process in background. So I suggest you to turn on full log (level 0) and bring the error log to here and Frank on github https://github.com/jedisct1/dnscrypt-proxy/issues
 
That's odd, I have no differences here:

I'm in CET, most likely the same timezone as Frank Denis, the author of dnscrypt-proxy v2, so it might be he has CET or GMT+1 hardcoded somewhere in the source code.

Nice clue, can you reopen a new issue on this with Frank? It does annoy my engineering OCD. I did tell him about it in https://github.com/jedisct1/dnscrypt-proxy/issues/20 but it's a mess with lots of stuffs there so better to have a new issue for it. I did export the TZ environment var before running dnscrypt-proxy so we just need to push him to read that into the process if possible.
 
Nice clue, can you reopen a new issue on this with Frank? It does annoy my engineering OCD. I did tell him about it in https://github.com/jedisct1/dnscrypt-proxy/issues/20 but it's a mess with lots of stuffs there so better to have a new issue for it. I did export the TZ environment var before running dnscrypt-proxy so we just need to push him to read that into the process if possible.

Done: https://github.com/jedisct1/dnscrypt-proxy/issues/57

@AtAM1 I took the liberty of using the excerpt of your logfiles as an example for Frank, as I don't have the issue myself. Would you mind sharing what timezone you're in?
 
Done: https://github.com/jedisct1/dnscrypt-proxy/issues/57

@AtAM1 I took the liberty of using the excerpt of your logfiles as an example for Frank, as I don't have the issue myself. Would you mind sharing what timezone you're in?
GMT+4 .. Going over the commit now. I also manually added the daemonize option and the process hasn't crashed for the past hour.

Thanks Marco!

Update: dlog.go ... .Local() was missing which explains the 4 hours difference.
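The effect described in the update above, a log stamp written without conversion to the local zone, can be reproduced and detected when correlating two log sources. This is an added example, not code from dnscrypt-proxy or from the post; the GMT+4 zone is the one stated in the post, while the function names, the stamp layout and the sample instant are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"time"
)

// Assumed layout of the syslog stamps quoted in the thread ("Jan 31 07:39:13").
const stamp = "Jan _2 15:04:05"

// render formats one instant as a logger would. asLocal=false mimics a logger
// that prints the UTC value; asLocal=true converts to loc first, which is what
// t.Local() does for the process's own zone.
func render(t time.Time, loc *time.Location, asLocal bool) string {
	if asLocal {
		return t.In(loc).Format(stamp)
	}
	return t.UTC().Format(stamp)
}

// zoneSkew compares two stamps written for the same event by the router and the
// daemon. It returns the gap rounded to 15 minutes and whether that gap looks
// like a timezone mismatch (non-zero, within a minute of the 15-minute grid).
func zoneSkew(routerStamp, daemonStamp string) (time.Duration, bool, error) {
	r, err := time.Parse(stamp, routerStamp)
	if err != nil {
		return 0, false, err
	}
	d, err := time.Parse(stamp, daemonStamp)
	if err != nil {
		return 0, false, err
	}
	raw := d.Sub(r)
	skew := raw.Round(15 * time.Minute)
	residue := raw - skew
	if residue < 0 {
		residue = -residue
	}
	return skew, skew != 0 && residue < time.Minute, nil
}

func main() {
	gmt4 := time.FixedZone("GMT+4", 4*3600)              // zone stated in the post
	ev := time.Date(2018, 1, 31, 7, 39, 13, 0, time.UTC) // constructed instant
	fmt.Println(render(ev, gmt4, false), "vs", render(ev, gmt4, true))
	skew, mismatch, err := zoneSkew("Jan 31 11:39:12", "Jan 31 07:39:13")
	fmt.Println(skew, mismatch, err)
}
```

The stamps carry no year or zone, so the comparison assumes both lines fall on the same calendar day.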
 
GMT+4 .. Going over the commits now. I also manually added the daemonize option and the process hasn't crashed for the past hour.

Thanks Marco!
Same here..

I also did some tests. When I turn off the cache, the crash takes a longer time to happen but eventually it still gets terminated. I strongly believe it has something to do with a memory issue. I do have 1gb swap and I don’t see Skynet nor ab-solution crashing. Only dnscrypt-proxy. I didn’t experiment with the installer here. Just my initial setup.
 
Same here..

I also did some tests. When I turn off the cache, the crash takes a longer time to happen but eventually it still gets terminated. I strongly believe it has something to do with a memory issue. I do have 1gb swap and I don’t see Skynet nor ab-solution crashing. Only dnscrypt-proxy. I didn’t experiment with the installer here. Just my initial setup.

GMT+4 .. Going over the commits now. I also manually added the daemonize option and the process hasn't crashed for the past hour.

Thanks Marco!
The problem is not the proxy running stable with daemonized mode but without, thus we need to see the full log (level 0) when it crashes, that way both I and Frank can see what the problem is. If you can't provide it, I and Frank won't be able to look at it as we don't have the issue.
 
The problem is not the proxy running stable with daemonized mode but without, thus we need to see the full log (level 0) when it crashes, that way both I and Frank can see what the problem is. If you can't provide it, I and Frank won't be able to look at it as we don't have the issue.

I can but all I am getting with debug loglevel 0 configured to log to syslog and/or by directly logging to a file is this:

Code:
[2018-01-31 10:52:39] [NOTICE] Stopped.

Is the software's logging function broken? Can someone confirm if they are able to get anything beyond notice/info messages?
 
Hum, in that case, both of you might want to report it to Frank. He might enable some more logging so we can better understand your problem.
 
May I check if you all enable the dnssec validation in the router GUI at LAN, DHCP Server?

Do u have haveged installed via the installer?
 
May I check if you all enable the dnssec validation in the router GUI at LAN, DHCP Server?

Do u have haveged installed via the installer?
My own setup I have haveged installed and I do not have dnssec enabled in gui LAN settings.
 
May I check if you all enable the dnssec validation in the router GUI at LAN, DHCP Server?

Do u have haveged installed via the installer?

Yes you may :D

No, I don't have DNSSEC enabled. Yet, I should say, as I saw a commit that DNSSEC might become mandatory for the fallback dns server.

Code:
## A resolver supporting DNSSEC is recommended. This may become mandatory.

Yes, I have Haveged installed thru the installer.
 
I am slowly trying to close the possibility of what went wrong with the dnscrypt-proxy auto terminate if I don’t set daemonize to true.
Now I installed haveged via entware instead of installer.. I will monitor first. Later if still terminate, I will disable dnssec validation to try. Coz our setting can’t differ too much and I don’t understand why your process didn’t terminate but mine did.. lol we both using ac68u right?
 
